cancel
Showing results for 
Search instead for 
Did you mean: 

checking ldap user and radius attribute on NAC Authentication

checking ldap user and radius attribute on NAC Authentication

PeterK
Contributor II

Hi,

I’m currently on a migration process from Microsoft NPS to Extreme Control.

We have a Cisco ASA as VPN-Gateway.

I will authenticate VPN-Users and Mgmt-Logins.

In the past we separate this with different “called-station-id” values.

Can I realize this with NAC? AFAIK I can’t check/match LDAP-Criteria (LDAP-User-Group) and Radius-Attribute (Radius-User-Group) at the same time.

Or Is there a way to realize this?

1 ACCEPTED SOLUTION

Tomasz
Valued Contributor II

Hi Mig, Peter,

 

just thinking loud, I suspect it would be possible to use User Group with LDAP/RADIUS lookups and End-System Group with LDAP lookups configured in a way that still a user is looked up…?

 

Hope that helps,

Tomasz

View solution in original post

8 REPLIES 8

Tomasz
Valued Contributor II

Hi Peter,

 

This idea came to my mind as in the past there were some issues with LDAP Configuration having both user and computer lookup settings and for computer authentication a separate LDAP Configuration had to be made, with computer-specific attributes and object type in user lookup fields. I don’t remember why it was so, but if it worked, the opposite should also work. Labels are just labels. 😉

 

Cheers,

Tomasz

PeterK
Contributor II

Hi Tomasz,

thanks for that idea.

That would be a very dirty workaround, but it should work.

I will test this. I’m excited how that will look in End-System View.

Tomasz
Valued Contributor II

Hi Mig, Peter,

 

just thinking loud, I suspect it would be possible to use User Group with LDAP/RADIUS lookups and End-System Group with LDAP lookups configured in a way that still a user is looked up…?

 

Hope that helps,

Tomasz

Miguel-Angel_RO
Valued Contributor II

Hi Peter,

I don’t think you can match both at the same time because they are both “User-Group” type.

Can you set an empty called-station-id instead of LAN-IP?

If so, Control will treat this as management access

Mig

GTM-P2G8KFN